Feb 11, 2025

Case Study

Blend Uses Opal to Transform Identity Security with Deterministic Logic

Blend turned to Opal to implement a deterministic access management solution grounded in clear, transparent boolean logic.

Matthew Jackson, Security Ops and Engineering Manager

Employees: 1-5k

Stage: Public

Blend

Blend is a leading digital origination platform that transforms banking experiences across mortgages, consumer loans, and deposit accounts. Powering billions of dollars in financial transactions daily, Blend is trusted by large banks, credit unions, and fintech companies alike to provide seamless, secure, and user-friendly customer experiences. With identity security paramount to enterprise success, Blend embarked on a journey to innovate its access management processes.

The Challenge

Before working with Opal, Blend managed access to internal resources (e.g., software, systems, and data) with an in-house tool, “Blend Approvals.” While the tool helped manage access requests somewhat, it still relied heavily on manual approvals. The result was an approval process that could be slow, inconsistent, and vulnerable to human error — creating gaps in Blend’s overall security posture. This, combined with a general lack of transparency company-wide around the access process, spurred Blend’s Security Operations and Engineering Manager Matthew Jackson and his team to take action.

“We didn’t want approvals to be based on a mindset of: Well, what did we decide two weeks ago in some random meeting? And we also didn’t want approvals to be based on mood — everyone knows that the way to break into any company is just to ask the security person for access on a Friday afternoon, when they’ll be in a better mood and more willing to grant it than on a Monday morning,” said Matthew Jackson. “We needed to turn our access flows into something on paper, transparent, and easy to dive into and critique.”

Blend not only wanted a smarter, more efficient access management process — it also wanted better protection against identity-based threats. As a leading company in the highly regulated financial services and lending space, Blend was founded with a deep understanding that its productivity would need to outpace that of the adversary in order to be successful. That meant staying at least one step ahead of hackers and other threat actors who might target gaps in Blend’s security posture. The team therefore knew that an automated access management solution would help Blend reach its goal of boosting employee productivity while sealing gaps in its cybersecurity posture in the process.

“By freeing up that time, we’re also making ourselves more secure,” said Jackson.

Blend Requirements At a Glance:

  • Deterministic, logic-based access management solution grounded in clear, transparent boolean logic

  • Off-the-shelf

  • Compatible with infrastructure as code (IaC)

  • Scalable

  • User-friendly

The Solution

“Opal provided us with an off-the-shelf solution. We knew it would be naive to continue to make it ourselves [...] We trusted that Opal could ace this for us.”
- Matthew Jackson, Security Operations and Architecture Manager at Blend

When their mutual VC investor, Greylock, introduced Blend to Opal, it was a no-brainer to adopt the technology. “Our in-house tool was good,” said Jackson, “but Opal can now carry that torch.”

Implementing Opal companywide was a quick and easy process. Within just a couple of months, Blend was relying fully on Opal for a deterministic, logic-based access model: if X, then yes; if not X, then no. This framework lets Blend automate access decisions in line with the principle of least privilege, with clear, traceable reasoning behind each decision. Because all access patterns and controls are defined in code, via infrastructure as code (IaC) tools like Terraform, the process is both deterministic and transparent.

Opal also integrated easily with Blend’s existing identity and access management tools, such as Okta and Twingate, which streamlined the employee access experience. Opal ingested user and access metadata from Okta in a matter of hours, giving the team visibility into, and control over, the end systems that were most at risk.

Today, Blend automatically adds users who have passed certification tests to the appropriate Okta groups. Users are likewise denied access to specific resources until they complete the required training; once they do, they are automatically granted the appropriate access by being added to the relevant list of users. This process has removed friction for employees, drastically reduced the manual labor involved in tracking compliance, and sealed the security gaps that overprovisioning had left open.
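The "if X, then yes; if not X, then no" model described above, as an added illustration that is not Opal's or Blend's code: each access decision is a pure function of the user's attributes and a rule, and every condition that fails is recorded so the decision can be read back during a user access review. The group names, training and certification identifiers, and users are constructed placeholders.

```python
# Constructed illustration, not Opal's or Blend's code: each decision is a pure
# function of (user attributes, rule), so the same input always yields the same
# answer and the reasons can be read back during a user access review.
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    email: str
    team: str
    completed_training: frozenset[str]
    passed_certs: frozenset[str]

@dataclass(frozen=True)
class Rule:
    resource: str                                   # e.g. an Okta group to sync
    required_training: frozenset[str] = frozenset()
    required_certs: frozenset[str] = frozenset()
    allowed_teams: frozenset[str] = frozenset()     # empty set means any team

def evaluate(user: User, rule: Rule) -> tuple[bool, list[str]]:
    """Return (granted, reasons); every failed condition leaves a trace line."""
    reasons: list[str] = []
    missing_training = rule.required_training - user.completed_training
    if missing_training:
        reasons.append(f"missing training: {sorted(missing_training)}")
    missing_certs = rule.required_certs - user.passed_certs
    if missing_certs:
        reasons.append(f"missing certification: {sorted(missing_certs)}")
    if rule.allowed_teams and user.team not in rule.allowed_teams:
        reasons.append(f"team {user.team!r} not in {sorted(rule.allowed_teams)}")
    return (not reasons), reasons or ["all conditions satisfied"]

def granted_resources(user: User, rules: list[Rule]) -> list[str]:
    """Resources the user should hold: the deterministic sync target for groups."""
    return [r.resource for r in rules if evaluate(user, r)[0]]

# Constructed sample rules and user (placeholder names).
RULES = [
    Rule("okta-prod-db-readers",
         required_training=frozenset({"secure-data-handling"}),
         allowed_teams=frozenset({"data", "sre"})),
    Rule("okta-aws-admins",
         required_training=frozenset({"secure-data-handling"}),
         required_certs=frozenset({"aws-admin-cert"})),
]
ALICE = User("alice@example.com", "data",
             frozenset({"secure-data-handling"}), frozenset())

if __name__ == "__main__":
    for rule in RULES:
        print(rule.resource, *evaluate(ALICE, rule))
```

Because no approver state or timestamp enters the decision, re-running it on the same attributes must give the same answer, which is the property that makes the resulting group list safe to sync and easy to audit.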

As a company that values a culture of radical candor and collaboration, Blend also implemented Opal in a way that empowers employees to contribute to an ongoing, proactive improvement process. The predefined attributes make it easy for employees to understand why they were granted or denied access, and they can request changes if they think that logic is wrong. Thanks to the IaC approach, making such changes is simple. What’s more, Blend introduced an Opal request form (powered by Google Forms) that employees can quickly fill out for any application they need that is not yet in Opal.

The Impact

Opal has become the seamless front-door experience for all of Blend’s employees, both technical and non-technical, to gain access to resources. That’s meant a boost for productivity, since employees no longer need to spend hours waiting for access approval. Plus, the team knows all access decisions will be based on sound logic.

Organization-wide, working with Opal is also powering faster user access reviews (UARs). Jackson said he and his team are no longer “worrying about if we’ve dropped the ball on access, or if someone’s the bottleneck, or that we’re not compliant.” Instead, they can focus on more strategic initiatives.

In addition, with a clear and traceable record of who has access to what and why, compliance audits have become significantly less labor-intensive. “A lot of manual labor is involved in these compliance frameworks,” said Jackson. “Opal has drastically reduced that. All we need to focus on is a list of users.”

Ready to see how Opal can help you achieve and maintain least privilege access?